An Indian electronics and communications engineer who describes himself as a “security enthusiast with a passion for ethical hacking” has discovered a Facebook vulnerability that could have allowed for any photo on the site to be deleted without the owner’s knowledge.

Arul Kumar, a 21-year-old from Tamil Nadu, discovered that he could delete any Facebook image within a minute, even from verified pages, all without any interaction from the user.

The vulnerability that he discovered was based around exploiting the mobile version of the social network’s Support Dashboard, a portal that allows users to track the progress of any reports they make to the site, including highlighting photos that they believe should be removed.

When such a request is submitted, and Facebook does not remove the photo in question, the user has the option of messaging the image owner directly with a photo removal request.

Doing so causes Facebook to generate a photo removal link which is then sent to the recipient of the message (the photo owner). The owner can then opt to click on that link to remove the image.

Kumar discovered that a couple of parameters within this message – ‘photo_id’ and ‘Owners Profile_id’ – could be easily modified.

With this information he then sent a photo removal request for an unrelated image on another account that he controlled. By changing the two parameters in the message received by the second account, Kumar could then choose to delete any image from any user on the network.

The victim of this photo removal technique would not be involved in the process in any way and wouldn’t receive any messages from Facebook – indeed the first they would know of this would be when they logged in to discover their photo(s) had disappeared.
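The flaw described above is an authorisation check made on identifiers the client can edit. The following is an added illustration, not Facebook's code: a toy removal-link service in which the flawed handler trusts the `photo_id` and `profile_id` carried in the link, while the hardened handler resolves both from a server-side record keyed by the link's token and re-checks ownership. All photo ids, user names and the token format are constructed for the example.

```python
import secrets

# Constructed sample data: photo id -> owner id (not real Facebook data)
SAMPLE_PHOTOS = {"p100": "alice", "p200": "bob", "p300": "mallory"}

# Server-side record of every removal link issued: token -> (photo_id, owner_id)
REMOVAL_LINKS = {}

def issue_removal_link(photos, photo_id):
    """Create the removal link that would be messaged to a reported photo's owner."""
    token = secrets.token_urlsafe(16)
    REMOVAL_LINKS[token] = (photo_id, photos[photo_id])
    # The link also carries the ids as parameters; this is what the flawed handler trusts
    return {"token": token, "photo_id": photo_id, "profile_id": photos[photo_id]}

def remove_photo_vulnerable(photos, link, clicking_user):
    """Flawed: the decision rests on ids supplied by the client (an insecure direct object reference)."""
    if link["token"] not in REMOVAL_LINKS:
        return False
    if clicking_user != link["profile_id"]:  # compares against a value the clicker chose
        return False
    return photos.pop(link["photo_id"], None) is not None

def remove_photo_hardened(photos, link, clicking_user):
    """Fixed: the token alone selects the photo, and ownership is re-checked server-side."""
    bound = REMOVAL_LINKS.get(link["token"])
    if bound is None:
        return False
    photo_id, owner_id = bound
    if clicking_user != owner_id or photos.get(photo_id) != owner_id:
        return False
    del photos[photo_id]
    return True

def alice_photo_survives(handler):
    """Mallory requests removal of her own photo, then rewrites the link's ids to point at Alice's."""
    photos = dict(SAMPLE_PHOTOS)
    link = issue_removal_link(photos, "p300")
    tampered = dict(link, photo_id="p100", profile_id="mallory")
    handler(photos, tampered, "mallory")
    return "p100" in photos  # True means the tampering had no effect on Alice's photo

def honest_removal_works(handler):
    """Sanity check: an untampered link clicked by the real owner still removes the photo."""
    photos = dict(SAMPLE_PHOTOS)
    link = issue_removal_link(photos, "p200")
    return handler(photos, link, "bob") and "p200" not in photos

if __name__ == "__main__":
    for handler in (remove_photo_vulnerable, remove_photo_hardened):
        print(handler.__name__, "keeps Alice's photo:", alice_photo_survives(handler))
```

With the hardened handler the tampered link only ever removes the photo it was issued for, so the edited ids are simply ignored.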

Kumar explained that the exploit could be used to remove photos from any verified user, pages or groups as well as from statuses, photo albums, suggested posts and even comments.

As part of the process of responsible disclosure Kumar forwarded details of the bug to the Facebook security team who, at first, could not delete any photos by following his instructions:

Yeah I messed around with this for the last 40 minutes but cannot delete any victims photos. All I can do is if the victim clicks the links and chooses to remove the the [sic] photo it will be removed which is not a security vuln obviously.

Kumar then explained his bug by using a demo account, as well as sending Facebook a proof of concept video in which he showed how he could have removed Mark Zuckerberg’s own photos from his album.

This time, Emrakul from Facebook’s security team was able to see the vulnerability:

Ok found the bug, fixing the bug. The fix should be live sometime early tomorrow.

I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, I wish all bug reports had such a video 🙂

Unlike Khalil Shreateh who, two weeks ago, became frustrated with Facebook’s bug reporting process and hacked Mark Zuckerberg’s own timeline, the way in which Kumar reported this bug shows just how responsible disclosure should work.

By following Facebook’s whitehat guidelines he was able to pick up his deserved bounty.

6 comments on “Facebook vulnerability that allowed any photo to be deleted earns $12,500 bounty”

The biggest security hole in Facebook photos is that if you know the image address of a photo in a set where the permissions are only for one photo, you can type in sequential image addresses from the photo you have access to in order to view them! Restriction is only implemented within the script of the Facebook page and is not linked to the photos themselves, so you can directly access them!

In order to know the image URL of a photo, you would ALREADY need to have permission to view the image in the first place!
If you can already view the image, you can just copy-and-paste it out, or screenshot.

How is this exactly a security hole?

"you can type in sequential image addresses from the photo you have access to to view them"
No, it doesn't.

To me, that first mail response about the bug was like saying: Yeah sure, bug, whatever, I pretended to type some stuff and nothing happened so get lost dork. Facebook idiots! They should be begging for information about the bug instead of blowing the guy off. With crap like that I am not surprised in the least that someone would just go straight for the "exploit the bug, create mass hysteria" route. I would be curious to see data (if there is any) of how many "hackers" got blown off like that not too long before their bad deed.